
Data Protection

Thank you for your interest in our website and our company. Although we carefully check external links, we are not liable for the content or security of the sites they point to.

We protect your personal data as best we can when collecting and processing it and during your visit to our website. Your data is protected by law. Below you will find explanations of the kind of information collected when you visit our website and how it is used.

General information on data protection in Austria

As of May 25, 2018, the General Data Protection Regulation (GDPR) applies in the European Union. It contains rules on the processing and protection of your personal data. This document provides the essential information on data protection in summarised form.

What is GDPR?

The GDPR is a regulation of the European Union. It is directly applicable in every member state of the EU, hence also in Austria. Every natural person can rely on the GDPR when their data is being processed. Detailed information can be found here.

What does the GDPR regulate?

The GDPR contains rules on the processing of your personal data. This includes, for example, your name, phone number, your account turnover or your hobbies; all of this is protected by the GDPR. The principles laid down in the GDPR govern how your personal data may be stored or processed. Detailed information can be found here.

Why is there still an Austrian data protection law (DSG 2018)?

The European Union has not only adopted the GDPR; it has introduced a complete data protection package. Part of this package was a new data protection directive. What distinguishes a directive from a regulation? A directive has to be transposed into national law in order to take effect. Furthermore, the GDPR leaves room for the member states to regulate certain aspects in more detail.

Austria is therefore governed by both the “Datenschutz-Anpassungsgesetz 2018” (DSG or DSG 2018) and the GDPR. Where it is relevant to you, we will always take the DSG 2018 into account as well.

Why is it important to protect my data?

Data protection is a fundamental right. Your right to data protection is anchored in the EU Charter of Fundamental Rights in the same way as your right to liberty and your right to security. The EU Charter of Fundamental Rights applies between you and state institutions.

Furthermore, it is legally accepted that the private and business sector must also ensure a balanced relationship of interests between data controller and data subject, e.g. between you and your bank. These rules can be found in the GDPR and the DSG 2018.

Personal data reveal a lot about us: our hobbies, preferences and dreams may become apparent. Evidently, this is worth protecting. However, we are only able to improve our services for you individually if we understand your preferences.

A core element of data protection is therefore that we find together a way in which we can process your data in your interest and under your supervision. Further information can be found here.

Does bank secrecy no longer apply in Austria?

It still applies: all information provided to us over the course of our business relationship is protected by Austrian bank secrecy under § 38 BWG (Banking Act). The GDPR complements this law.

Good to know: A release from bank secrecy is only valid if it is given in writing, see § 38 paragraph 2 point 5 BWG. “In writing” means:

Signature by one’s own hand, e.g. “ink on paper”, or

Qualified electronic signature, e.g. “mobile signature”, or

Strong customer authentication in digital banking, e.g. currently password plus SMS TAC, cardTAN, or the sIdentify method in George

Basic principles and terms in data protection law

(All links as of May 2018)

In order to talk about data protection, it is important to clarify basic definitions. We have listed the corresponding Articles of the GDPR so that you can read up on them if you are interested. Please note that we only show summarised versions of the text. The full text of the GDPR can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

What is “personal data”?

“Personal data” is all information that relates to an identified or identifiable natural person (“data subject”). An identifiable person is a natural person who can be identified, directly or indirectly, for example by name or by an identification number such as an IBAN or account ID.

This information can be found in Art. 4 point 1 GDPR.

What is „data processing“?

The term “processing” covers every operation performed on personal data, whether or not by automated means. This includes, for instance, collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), alignment or combination, restriction, erasure or destruction.

This information can be found in Art. 4 point 2 GDPR.

What is a “data controller”?

The term “data controller” covers every natural or legal person, authority or institution that decides upon the purposes and means of processing personal data, either alone or jointly with others. We, as a bank, are for instance a data controller.

This information can be found in Art. 4 point 7 GDPR.

What is a “data processor”?

The term “data processor” covers every natural or legal person, authority or institution that processes personal data on behalf of a data controller.

This information can be found in Art. 4 point 8 GDPR.

Image and sound data, e.g. video recordings, recorded telephone conversations and your photo (if you have consented to it being taken), etc.

Processing results used to fulfil contracts and consents

Data needed to satisfy legal and regulatory requirements

Please note: The above is a general enumeration. We do not necessarily hold all of the data mentioned above. For a detailed, individual overview, you have the right of access and may request that overview from us.

Where does the personal data we process come from?

Most of the personal data that we process about you has been provided by you yourself, or by ultimate beneficial owners, authorised signatories or other representatives of your company: for example when opening an account, taking out a loan, conducting securities transactions, arranging an appointment, in an enquiry via our websites, etc.

Apart from that, the data may come from the following sources:

Debtor registers, such as CRIF GmbH

Publicly available sources, e.g. the company register, land register, insolvency register, register of associations

Other institutions of Erste Group Bank AG, Erste Bank and Sparkasse, for risk control and consolidation within the credit institution group in accordance with the Banking Act and the Capital Requirements Regulation (EU) 575/2013

In addition, we may receive data from state authorities or from persons acting on behalf of the state, such as criminal courts, public prosecutors or court commissioners.

For which purposes and on the basis of which legal foundation are my personal data processed?

We are a credit institution according to section 1 subsection 1 of the Banking Act and Article 4(1)(1) of Regulation (EU) 575/2013. Here, the terms “bank” and “credit institution” are synonymous. Within the scope of these activities, we process your personal data. In detail, this means:

Processing for the contract performance

Depending on the type of contract concluded with you, we provide certain services to you, for example under credit agreements or account agreements. For this purpose, we have to process your data. Our range of products is varied, and so are the underlying contracts; the scope of the data processing is therefore defined in the contractual documents and the terms and conditions.

Processing to satisfy a legal obligation

We may also be required by law to process your personal data for specific purposes, e.g.:

Recording of telephone conversations and electronic communication in securities transactions, such as the acceptance, transmission and execution of customer orders, in accordance with the Securities Supervision Act 2018, or in proprietary securities trading

Providing information in criminal proceedings to public prosecutors and courts, as well as to the authorities prosecuting fiscal offences in cases of intentional fiscal offences: Banking Act, Code of Criminal Procedure, Fiscal Penal Act

Processing due to a legitimate interest

We or third parties also have a legitimate interest in data processing in the following cases, for example:

Recording of telephone conversations, e.g. in the case of complaints or to document so-called declarations relevant to a transaction, such as a card block

Calculating your financing capacity in order to make online credit offers to you

The processing of personal data for direct marketing may also be a legitimate interest.

Processing on the basis of consent

If there is neither a contract nor a legal obligation or legitimate interest, data processing may still be lawful, namely where you have granted us your consent and/or approval. The scope and content of this data processing always follow from the consent in question. Importantly, you can withdraw your consent at any time.

The withdrawal, however, does not affect the lawfulness of processing carried out on the basis of that consent before its withdrawal. In other words, a withdrawal has no retroactive effect.

Am I obliged to provide my personal data? What happens if I don’t want to do so?

For our business relationship, we need your personal data or the personal data of a representative of your company (ultimate beneficial owner, authorised signatories, etc.). If we do not know your name and address, we are, for example, not able to correspond with you by post. If we are not able to verify your identity, we are not permitted by law to establish a business relationship. So you see: where it is required for a business relationship based on a contract or a legal provision, we have to process some personal data. If you do not provide it, we may unfortunately not be allowed to offer or provide certain products or services.

Is there decision-making based on automated processing, e.g. profiling?

At the beginning or during our business relationship, we do not use any automated decision-making according to article 22 GDPR.

To whom do you transfer my personal data?

Your personal data may be transferred to:

Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erste Group Bank AG who need the data for the performance of contractual, legal or supervisory duties or for the protection of legitimate interests

Public bodies and institutions, where we are legally obliged to do so, e.g. European banking supervisors, the European Central Bank, the Austrian Financial Market Authority, tax authorities, etc.

Third parties commissioned by us, e.g. for IT and back-office services, as well as bank auditors, where they need the data for their tasks. Third parties are contractually obliged to treat your data confidentially and to process it only within the scope of the service they provide

Third parties where this is necessary for the performance of the contract or required by law, e.g. the recipient of a bank transfer and their payment service provider

The data may also be transferred to third parties if you have consented to the transfer

Are my personal data transferred to a third country?

Our processors may cooperate with sub-processors in third countries (countries outside the EU/EEA), e.g. in India. These sub-processors are obliged to comply with Austrian data protection and security standards.

What security measures are adhered to in the context of data processing?

Data protection and data security are important to us. We have implemented technical and organisational measures to protect our data processing and, in particular, your personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include, for example, up-to-date security software and encryption, physical access controls, and precautions against external and internal attacks.

Practical tips on how you may support in protecting your personal data can be found here.

Cookies: Cookies are used in various places on our website. Cookies are small text files that allow a returning user's browser to be recognised on a subsequent visit. They do not store personal details such as your name or address, and you cannot be identified from the information they contain.

We use cookies to tailor our offers to your needs and to analyse how these offers are used. You can set your browser to ask you before a cookie is set, or to block cookies altogether. You can also use our website www.erstegroup.com without cookies.

Social networks: We work with various social networks. If you use these social networks, your browser automatically connects to the network's servers and transmits your IP address and other information, such as cookies, if you have previously visited the platform in question.

As far as possible, we avoid this type of data transfer until you actually interact with one of the platforms. By clicking on the relevant icon (e.g. the Facebook logo) you indicate that you wish to communicate with the selected platform and that information about you, such as your IP address, will be transmitted to that social network.

Web analytics: For anonymised statistical evaluation of visitor traffic on our websites, we transfer personal data to the service provider Webtrekk GmbH. You can prevent this forwarding of your data.

Your Rights

Which Rights do I have?

The GDPR grants you the following rights regarding your personal data; the same rights apply to the representatives of your company (ultimate beneficial owners, authorised signatories, etc.) whose personal data we process. You are entitled to:

Access according to article 15 GDPR

Rectification according to article 16 GDPR

Erasure according to article 17 GDPR

Restriction of the processing according to article 18 GDPR

Data portability according to article 20 GDPR

Objection according to article 21 GDPR

Not to be subject to a decision based solely on automated processing, including profiling, according to article 22 GDPR

What does Right to Access mean?

This means you have the right to ask us to confirm whether we process your personal data. If we do, you also have the right to access that personal data and to the following information:

Processing purposes

Categories of personal data being processed

Recipients or categories of recipients to whom the personal data have been disclosed or are yet to be disclosed, in particular to recipients in third countries or to international organizations

Where possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period

The existence of the right to request rectification or erasure of your personal data, or restriction of or objection to its processing

The right to lodge a complaint with a supervisory authority

Where the personal data was not collected from you, any available information as to its source

Whether automated decision-making, including profiling, within the meaning of Article 22(1) and (4) GDPR takes place and, at least in those cases, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for you

What does Right to Rectification mean?

It is important to us that your data is always correct and complete. If you suspect that it is incorrect or incomplete, you can request that the data be corrected or completed. How to do that can be found here.

What do “Right to Erasure” and “Right to be Forgotten” mean?

We attach great importance to your data being processed only within the framework of the GDPR and the DSG 2018. You can request the erasure of your personal data on one of the following grounds:

The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

Example: Your personal data must be erased if it was collected exclusively for the purpose of processing a purchase (= sole purpose) and you have not consented to the data being processed for other purposes. In this case, it is no longer necessary to process the data once the purchase is complete and the retention period, which can be found here, has expired.

You revoke the consent on which the processing is based, pursuant to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing.

Example: You have agreed that your personal data may be processed for individual third-party product offers (= sole purpose). Once you withdraw this consent, your personal data must be erased. Exception: other purposes or legal bases for processing exist, for example because you also have a customer relationship with the third party.

You object to the processing under Article 21(1) GDPR and there are no overriding legitimate grounds for the processing.

For example, you may object if someone processes your personal data without your consent merely because they believe they have a legitimate interest in doing so (and there is no other legal basis). If you object and there was no legitimate interest, the personal data must be erased: the objection was successful.

The personal data were processed unlawfully.

Unlawfully (“without a legal basis”) processed personal data must be erased.

The personal data must be erased to comply with a legal obligation under EU law or the law of the Member State to which the controller is subject.

This means laws or other legal provisions that require the erasure of personal data.

The personal data were collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

This is a special protection rule in favor of minors using online services.

In short, that is the right to erasure. It should not be confused with the “right to be forgotten”.

The “right to be forgotten” concerns personal data that has been made public. It provides that if the controller that originally published the data has to erase it (for one of the reasons listed above), it must additionally inform those who are processing the data as a result of the publication that erasure has been requested. This rule is quite complicated. In this regard, the GDPR refers in particular to internet search engines.

What does Right to Restriction of Processing mean?

We attach great importance to always processing your data within the framework of the GDPR and the DSG 2018. However, if you believe that this is not the case, you have the right to request that the processing of your personal data be restricted. This applies only on the following grounds:

You contest the accuracy of your personal data. You may request that processing be restricted for the period the controller needs to verify the accuracy of the data.

You and we may disagree about the accuracy of the data. So that the contested personal data is not erased or changed immediately, further processing can be restricted while the matter is clarified. It may turn out that the data was accurate after all.

The processing of the personal data is unlawful, but instead of erasure you “only” want the use of the personal data restricted.

The GDPR gives you the choice: if you do not want unlawfully processed data to be erased straight away, you can request that it be kept but no longer used.

The controller no longer needs your personal data for the purposes of the processing, but you need it to establish, exercise or defend legal claims.

If your personal data would otherwise be erased but you need it to enforce or defend your own legal claims, it may be retained and processed for that purpose.

You have objected to the processing under Article 21(1) GDPR. Until it has been determined whether the controller's legitimate grounds override your interests, processing may be restricted.

So that the contested personal data is not erased immediately, further processing can be restricted while the matter is clarified. It may turn out that the processing was justified after all.

What does Right to Data Portability mean?

Your personal data is yours. You therefore have the right to receive this data in a structured, commonly used and machine-readable format. This concerns data that you have provided to us and that is processed by automated means on the basis of your consent or for the performance of a contract. You may also request that we transmit this personal data directly to another controller.

In which format do I receive this data?

We provide the data as an .XML file. Further information can be found here.

What important security notes should I take into account?

The protection of your personal data and your money is just as important to us as it is to you. Therefore, please treat your right to data portability like an account statement. Would you send one “just like that” to someone else?

Please also remember that your financial data contains personal data of other persons: if you have transferred money to someone, this is visible in the transmitted data, just as it is on a bank statement. These people also have rights and freedoms. Therefore, we will only transmit your data to persons other than you if

you specifically instruct us to do so,

you release us from banking secrecy, and

the recipient is another financial institution, law firm, notary, tax consultancy, business trustee or a public authority.

Please contact us in advance if you would like to transfer your data to third parties so that we can clarify all the details.

Our tip: Note that you can view your transaction data in George at any time, e.g. for accounts, credit cards, loans or securities accounts, and save it yourself. That way you always have an up-to-date overview.

What does the Right of Objection mean?

Your data may be processed where there is a legitimate interest.

If a legitimate interest is relied on, you must be informed of it. If you then believe that the legitimate interest does not exist, you can object to the processing. This applies in particular if your personal data is used for direct marketing; in that case your objection must always be honoured and no balancing of interests takes place. If the controller cannot demonstrate compelling legitimate grounds for further processing, your personal data may no longer be processed after the objection.

What does the right not to be subject to a decision based solely on automated processing (including profiling) mean?

We do not use automated decision-making under Art. 22 GDPR for decisions on the establishment and conduct of the business relationship, see above. The right to object to this is therefore not applicable.

How and where can I claim my rights?

What information do I have to give?

To prevent your financial data from falling into the wrong hands or your data from being erased against your will, we need to verify your identity for each request. We ask for your understanding that, in case of doubt, we will request further information about your identity. This also serves to protect you, so that only authorised persons are given access to your data.

How can I submit the application?

No matter which right you wish to assert, you can send us your request in three ways.

Please word your request as precisely as possible so that we can process it quickly. Please note the special instructions for the right to data portability.

How long does the processing of my request take?

We will provide you with the relevant information without undue delay and in any event within one month of receipt of the request.

Where requests are complex or numerous, this period may be extended by a further two months if necessary.

How is my application processed?

Financial affairs are a matter of trust; unfortunately, e-mails are not always trustworthy. In terms of security, an unencrypted e-mail is more like a postcard: anyone handling it along the way can read it. Since we do not want to send your bank details on a postcard, we will send you the information by post.

What needs to be taken into account when it comes to the right to data portability?

Please remember that your financial data contains personal data of other persons: if you transfer money to relatives or acquaintances, this is visible in the transmitted data, just as it is on a bank statement.

We only send the data directly to others if

you specifically instruct us to do so,

you release us from banking secrecy, and

the recipient is another financial institution, law firm, notary, tax consultancy, business trustee or a public authority.

Before you exercise your right to data portability: did you know that you can view your transaction data in George anyway and save it yourself?

Does it cost me anything if I assert my rights?

No, requests are handled free of charge. Exception: only if requests are manifestly unfounded or excessive may we charge a reasonable fee, which takes into account the administrative costs of providing the information, communicating, or taking the requested action.

Are there any possibilities to complain?

For all complaints, questions and suggestions on data protection, our data protection officer can be contacted. We are convinced that a joint solution can be found to almost any problem.

If you do not receive a timely answer to a request, if you are of the opinion that we have not handled your request lawfully, or if you believe that your right to data protection has been violated, you may also lodge a complaint with the competent supervisory authority:

In addition, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to claim compensation from the controller or the processor. In detail, the general provisions of civil law apply. Please note that the Austrian Data Protection Authority is not competent for claims for damages; these are heard by the regional court for your place of residence. Claims may, however, also be brought before the regional court in whose district the defendant has their habitual residence, registered office or branch office. Which court is competent can be found here: https://www.justiz.gv.at/